Dear Daniel,
Yeah right. I totally forgot, it's a reverse DNS.
Now I checked the radius server in debug mode and I cannot see any request
from openser trying to connect to the radius server. So, the request from
openser is not reaching the radius server.
Then I installed wireshark and checked the ip address 128.185.38.162 (radius
server ip address) on the server where openser was installed. There also I did
not find any entry related to 128.185.38.162.
So, it seems my configuration is wrong. I am sending you the configuration
of openser.cfg and radiusclient.conf.
openser.cfg
Linux isoftel-desktop 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686 GNU/Linux
Ubuntu 10.04 LTS
isoftel@isoftel-desktop:~$ cd /usr/local/etc/openser/
isoftel@isoftel-desktop:/usr/local/etc/openser$ cat openser.cfg
#
# $Id$
#
# radius config script
#
# ----------- global configuration parameters ------------------------
debug=6 # debug level (cmd line: -dddddddddd)
log_stderror=yes # (cmd line: -E)
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
port=5060
children=4
#listen=udp:localhost
#alias="kamailio.org"
fifo="/tmp/openser_fifo"
# ------------------ module loading ----------------------------------
mpath="/usr/local/lib/openser/modules"
loadmodule "mysql.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "avpops.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "xlog.so"
loadmodule "uri.so"
loadmodule "acc.so"
loadmodule "auth.so"
loadmodule "auth_radius.so"
loadmodule "group_radius.so"
loadmodule "avp_radius.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
#modparam("usrloc","db_url","mysql://openser:openserrw@localhost/openser")
modparam("usrloc", "db_mode", 2)
# -- acc params --
modparam("acc", "radius_flag", 1)
modparam("acc", "radius_missed_flag", 2)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 1)
modparam("acc", "service_type", 15)
modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")
modparam("acc|auth_radius|group_radius|avp_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
# -- group_radius params --
modparam("group_radius", "use_domain", 1)
# -- avpops params --
modparam("avpops", "avp_aliases", "day=i:101;time=i:102")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# ------------------------- request routing logic -------------------
# main routing logic
route{
    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    };
    if (msg:len >= 2048 ) {
        sl_send_reply("513", "Message too big");
        exit;
    };
    # check if user is suspended
    if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE"))
    {
        if (radius_is_user_in("From", "suspended")) {
            sl_send_reply("403", "Forbidden - suspended");
            exit;
        };
    };
    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    if (!method=="REGISTER")
        record_route();
    # subsequent messages within a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        if(is_method("BYE"))
        { # log it all the time
            acc_rad_request("200 ok");
            acc_log_request("200 ok");
        }
        route(1);
    };
    if(is_method("INVITE") && !has_totag())
    { # set the acc flags
        setflag(1);
        setflag(2);
    };
    if (!uri==myself) {
        # check if user is allowed to do voip calls to other domains
        if(is_method("INVITE|MESSAGE")) {
            if (!radius_is_user_in("From", "voip")) {
                sl_send_reply("403", "Forbidden VoIP");
                exit;
            };
        };
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
    };
    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    if (uri==myself) {
        # authenticate registers
        if (method=="REGISTER") {
            if (!radius_www_authorize("")) {
                www_challenge("", "1");
                exit;
            };
            # check the src ip address
            if(!avp_check("i:2", "eq/$src_ip/ig"))
            {
                sl_send_reply("403", "Forbidden IP");
                exit;
            };
            save("location");
            exit;
        };
        # calls to pstn
        if(uri=~"sip:00[1-9][0-9]+@") {
            if(is_method("INVITE") && !has_totag()) {
                if (!radius_is_user_in("From", "pstn")) {
                    sl_send_reply("403", "Forbidden PSTN");
                    exit;
                };
            };
            # set gateway address
            rewritehostport("localhost:5090");
            route(1);
        };
        # load callee's avps
        if(avp_load_radius("callee"))
        {
            # check if user has time filter enabled
            if(avp_check("i:3", "eq/i:1"))
            {
                # print time in an avp
                avp_printf("i:100", "$Tf");
                # extract day
                avp_subst("i:100/i:101", "/(.{3}) .+/*\1*/");
                if(!avp_check("i:6", "fm/$day")) {
                    sl_send_reply("403", "Forbidden - day");
                    exit;
                };
                # extract 'hours:minutes'
                avp_subst("i:100/i:102", "/(.{10}) (.{5}):.+/\2/");
                if((is_avp_set("i:4") && avp_check("i:4", "gt/$time"))
                   || (is_avp_set("i:5") && avp_check("i:5", "lt/$time"))) {
                    sl_send_reply("403", "Forbidden - time");
                    exit;
                };
            };
        };
        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            # log to acc as missed call
            acc_rad_request("404 Not Found");
            acc_log_request("404 Not Found");
            sl_send_reply("404", "Not Found");
            exit;
        };
        append_hf("P-hint: usrloc applied\r\n");
    };
    route(1);
}
# generic forward
route[1] {
    # send it out now; use stateful forwarding as it works reliably
    # even for UDP2TCP
    if (!t_relay()) {
        sl_reply_error();
    };
    exit;
}
radiusclient-ng.conf
# General settings
# specify which authentication comes first respectively which
# authentication is used. possible values are: "radius" and "local".
# if you specify "radius,local" then the RADIUS server is asked
# first then the local one. if only one keyword is specified only
# this server is asked.
auth_order radius
#add 'local' with comma
# maximum login tries a user has
login_tries 4
# timeout for all login tries
# if this time is exceeded the user is kicked out
login_timeout 60
# name of the nologin file which when it exists disables logins.
# it may be extended by the ttyname which will result in
# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
# logins on /dev/ttyS2)
nologin /etc/nologin
# name of the issue file. it's only display when no username is passed
# on the radlogin command line
issue /etc/radiusclient-ng/issue
# RADIUS settings
# RADIUS server to use for authentication requests. this config
# item can appear more than once. if multiple servers are
# defined they are tried in a round robin fashion if one
# server is not answering.
# optionally you can specify the port number on which the remote
# RADIUS server listens, separated by a colon from the hostname. if
# no port is specified /etc/services is consulted for the radius
# service. if this fails also a compiled in default is used.
authserver 128.185.38.162
# RADIUS server to use for accounting requests. All that I
# said for authserver applies, too.
#
acctserver 128.185.38.162
# file holding shared secrets used for the communication
# between the RADIUS client and server
servers /etc/radiusclient-ng/servers
# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
dictionary /etc/radiusclient-ng/dictionary
# program to call for a RADIUS authenticated login
login_radius /usr/sbin/login.radius
# file which holds sequence number for communication with the
# RADIUS server
seqfile /var/run/radius.seq
# file which specifies mapping between ttyname and NAS-Port attribute
mapfile /etc/radiusclient-ng/port-id-map
# default authentication realm to append to all usernames if no
# realm was explicitly specified by the user
# the radiusd directly from Livingston doesn't use any realms, so leave
# it blank then
default_realm
# time to wait for a reply from the RADIUS server
radius_timeout 10
# resend request this many times before trying the next server
radius_retries 3
# local address from which radius packets have to be sent
# (the radiusclient-ng default is '*', i.e. any local address)
bindaddr localhost
#change with 'localhost'
# LOCAL settings
# program to execute for local login
# it must support the -f flag for preauthenticated login
login_local /bin/login
I have also edited the servers file with the server name and secret.
Thank you very much.
Regards,
Pratik
On Mon, Aug 2, 2010 at 11:26 PM, Daniel-Constantin Mierla <miconda(a)gmail.com> wrote:
> Hello,
>
>
> On 8/2/10 12:36 PM, Pratik Shrestha wrote:
>
> Dear Daniel,
> Now the new issue. Seems now openser is trying to talk with radius server.
> But still I am getting the one error in syslog which is as follows.
>
> rc_send_server: no reply from RADIUS server 128-185-38-162.totisp.net:1812
>
> Actually I have written only 128.185.38.162 in auth_server in
> radiusclient.conf. I don't know how this totisp.net is added. I haven't
> mentioned it anywhere.
>
>
> probably reverse dns is done in the library, it is not relevant anyhow. Can
> you start radius server in debug mode and see if it got some request? You
> can also do a ngrep/wireshark on port 1812 of your radius server to watch
> for network packets coming from kamailio.
>
> Cheers,
> Daniel
>
>
>
> Please help me.
> Thanks.
>
> Regards,
> Pratik
>
> On Mon, Aug 2, 2010 at 11:44 AM, Pratik Shrestha <pratikdbl(a)gmail.com> wrote:
>
>> Dear Daniel,
>>
>> Before I work for the new version, I am first trying to configure the old
>> version of openser and radius. I am using openser version 1.0.1 and radius
>> client version 0.5.1 and I am following the tutorial given in
>> http://kamailio.net/docs/openser-radius-1.0.x.html.
>>
>> My freeradius server is in another machine and when I use radclient to
>> check the user I made, I get the "Authenticated" message.
>> But when I use X-lite and connect to openser, it seems openser is not
>> talking with freeradius servers. I am sure the "secret" I am using is right
>> as I have already tested from radclient. The log which I am getting in
>> openser is as shown below
>>
>> 9(1986) SIP Request:
>> 9(1986) method: <REGISTER>
>> 9(1986) uri: <sip:192.168.0.56>
>> 9(1986) version: <SIP/2.0>
>> 9(1986) parse_headers: flags=2
>> 9(1986) Found param type 232, <branch> =
>> <z9hG4bK-d8754z-c33212005635f16c-1---d8754z->; state=6
>> 9(1986) Found param type 235, <rport> = <n/a>; state=17
>> 9(1986) end of header reached, state=5
>> 9(1986) parse_headers: Via found, flags=2
>> 9(1986) parse_headers: this is the first via
>> 9(1986) After parse_msg...
>> 9(1986) preparing to run routing scripts...
>> 9(1986) parse_headers: flags=100
>> 9(1986) DEBUG:maxfwd:is_maxfwd_present: value = 70
>> 9(1986) parse_headers: flags=10
>> 9(1986) DEBUG:parse_to:end of header reached, state=9
>> 9(1986) DEBUG: get_hdr_field: <To> [44]; uri=[sip:101%40kamailio.org@192.168.0.56]
>> 9(1986) DEBUG: to body ["101"<sip:101%40kamailio.org@192.168.0.56>]
>> 9(1986) DEBUG: add_param: tag=cc6e4259
>> 9(1986) DEBUG:parse_to:end of header reached, state=29
>> 9(1986) radius_is_user_in(): Failure
>> 9(1986) parse_headers: flags=200
>> 9(1986) get_hdr_field: cseq <CSeq>: <2> <REGISTER>
>> 9(1986) DEBUG: get_hdr_body : content_length=0
>> 9(1986) found end of header
>> 9(1986) find_first_route: No Route headers found
>> 9(1986) loose_route: There is no Route HF
>> 9(1986) grep_sock_info - checking if host==us: 12==9 && [192.168.0.56]
>> == [127.0.0.1]
>> 9(1986) grep_sock_info - checking if port 5060 matches port 5060
>> 9(1986) grep_sock_info - checking if host==us: 12==12 && [192.168.0.56] == [192.168.0.56]
>> 9(1986) grep_sock_info - checking if port 5060 matches port 5060
>> 9(1986) grep_sock_info - checking if host==us: 12==9 && [192.168.0.56]
>> == [127.0.0.1]
>> 9(1986) grep_sock_info - checking if port 5060 matches port 5060
>> 9(1986) grep_sock_info - checking if host==us: 12==12 && [192.168.0.56] == [192.168.0.56]
>> 9(1986) grep_sock_info - checking if port 5060 matches port 5060
>> 9(1986) check_nonce(): comparing
>> [4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c] and
>> [4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c]
>> 9(1986) ERROR:auth_radius:radius_authorize_sterman: rc_auth failed
>> 9(1986) build_auth_hf(): 'WWW-Authenticate: Digest realm="192.168.0.56",
>> nonce="4c5649b2d78b205e6a5ca1c6dcdc54b84445dd9c"
>> '
>> 9(1986) parse_headers: flags=ffffffffffffffff
>> 9(1986) check_via_address(192.168.0.148, 192.168.182.3, 0)
>> 9(1986) DEBUG:destroy_avp_list: destroying list (nil)
>> 9(1986) receive_msg: cleaning up
>>
>> At freeradius also, no request goes from openser.
>>
>> Please advise me how to get rid of this problem.
>>
>> Best Regards,
>> Pratik
>>
>>
>> On Wed, Jul 28, 2010 at 5:56 PM, Pratik Shrestha <pratikdbl(a)gmail.com> wrote:
>>
>>> Thanks a lot. I will give it a try
>>>
>>> Pratik
>>>
>>>
>>> On Wed, Jul 28, 2010 at 3:48 PM, Daniel-Constantin Mierla <miconda(a)gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>>
>>>> On 7/22/10 6:06 AM, Pratik Shrestha wrote:
>>>>
>>>>> Dear All,
>>>>>
>>>>> I am very new to OpenSer. I want to use the latest version of OpenSer with
>>>>> Radius. I need the documentation/tutorial on how to do this. Googling, I only
>>>>> found for the old version. Please help me.
>>>>>
>>>>
>>>> indeed, there is a rather old version:
>>>>
>>>> http://www.kamailio.org/docs/openser-radius-1.0.x.html
>>>>
>>>> What I can say now is that you can skip the part of installing kamailio
>>>> and use next link instead:
>>>>
>>>> http://www.kamailio.org/dokuwiki/doku.php/install:kamailio-3.0.x-from-git
>>>>
>>>> Radius client library is now in most of common Linux distributions, so
>>>> you can install it with the package manager (you need the devel headers as
>>>> well, the -dev package).
>>>>
>>>> FreeRadius configuration should be more or less the same.
>>>>
>>>> The config of kamailio has changed quite a lot. Use the default one from
>>>> kamailio, follow the WITH_AUTH define conditions and replace auth_db with
>>>> auth_radius modules and functions. Also, the rest of radius modules were
>>>> merged into misc_radius. For enabling radius acc, you need to recompile acc
>>>> module after editing the Makefile in module directory.
>>>>
>>>> Hope it helps to start, ask here if you get stuck.
>>>>
>>>>
>>>> Cheers,
>>>> Daniel
>>>>
>>>> --
>>>> Daniel-Constantin Mierla
>>>> http://www.asipto.com/
>>>>
>>>>
>>>
>>
>
> --
> Daniel-Constantin Mierla
> http://www.asipto.com/
>
>
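Daniel's advice in the thread is to watch port 1812 on the RADIUS server; Pratik then reports that nothing leaves the openser host at all. The following is an added example (editor's code, not from the thread, from openser or from radiusclient-ng) that takes radiusclient-ng out of the picture: it hand-builds an RFC 2865 Access-Request with the User-Password hiding, sends it from a chosen source address, and verifies the Response Authenticator of the reply, so the three failure modes that all look like "no reply" from the proxy's side can be told apart: the datagram never leaves (wrong bind address or route), the server drops it silently (FreeRADIUS discards requests from IPs that are not in its clients.conf), or a reply arrives but was computed with a different shared secret. Service-Type 15 is taken from the posted acc configuration; the user, password, secret and addresses in the usage line are placeholders. The posted radiusclient.conf has `bindaddr localhost` with a remote authserver; calling `probe()` with `bind_addr="127.0.0.1"` reproduces that setting so its effect can be observed directly. `simulate_server` is a constructed stand-in for the server side so the encoding can be exercised offline.

```python
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous ciphertext block), the first keyed by the Request Authenticator."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side of hide_password; the keystream chains on the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        (SERVICE_TYPE, struct.pack("!I", 15)),  # the value the posted acc config sends
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field disagrees with datagram size")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """False when the reply was computed with a different secret (or forged);
    a compliant client then discards it exactly as if nothing had arrived."""
    _, req_id, req_auth, _ = parse_packet(request)
    _, ident, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return ident == req_id and hmac.compare_digest(expected, resp_auth)

def simulate_server(request, secret, users, known_clients, src_ip):
    """Constructed stand-in: unknown client IP -> dropped silently (None), bad password -> Reject."""
    if src_ip not in known_clients:
        return None
    _, _, req_auth, attrs = parse_packet(request)
    a = dict(attrs)
    pw = reveal_password(a[USER_PASSWORD], secret, req_auth).decode(errors="replace")
    ok = users.get(a[USER_NAME].decode()) == pw
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)

def probe(server, secret, username, password, nas_ip, bind_addr="0.0.0.0", timeout=3.0):
    """One real UDP exchange. A source address that cannot reach the server (on Linux,
    typically 127.0.0.1 for a remote server) surfaces here as OSError, not as silence."""
    req = build_access_request(os.urandom(1)[0], secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, 0))
        s.settimeout(timeout)
        s.sendto(req, server)
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply: server unreachable, or it dropped us as an unknown client"
    if not verify_response(resp, req, secret):
        return "reply failed authenticator check: shared secret mismatch"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(parse_packet(resp)[0], "other")

if __name__ == "__main__":
    # placeholders: python3 radprobe.py 128.185.38.162 sharedsecret 101 userpass 192.168.0.56
    host, secret, user, pw, nas = sys.argv[1:6]
    print(probe((host, 1812), secret.encode(), user, pw, nas))
```

Run it from the openser host while tcpdump or ngrep watches udp port 1812 on both machines: an Access-Accept proves the network path, the clients.conf entry and the shared secret all at once; an OSError on sendto points at the local bind address; a timeout with no packet seen on the server points at routing or filtering in between, and a timeout with the packet visible on the server means the server chose not to answer.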